Cybersecurity researchers have detailed Operation XENOFISCAL, a spear-phishing campaign attributed to Pakistan-aligned SideCopy targeting Afghanistan’s Ministry of Finance. The campaign used Pashto-language lure files, malicious Windows shortcuts and Xeno RAT to target finance officials, revenue directorates and provincial government employees.

Pakistan-Linked SideCopy Targets Afghanistan Finance Ministry With Xeno RAT

The420.in Staff

Cybersecurity researchers have disclosed a spear-phishing campaign attributed to the Pakistan-aligned SideCopy group, targeting Afghanistan’s Ministry of Finance with an open-source remote access trojan known as Xeno RAT. The campaign, codenamed Operation XENOFISCAL, also targeted provincial revenue and finance directorates, Pashto-speaking government officials and provincial-level government employees.

Pashto-Language Lure Used in Spear-Phishing Campaign

According to a technical breakdown by Seqrite Labs researcher Dixit Panchal, the campaign begins with a spear-phishing delivery involving a ZIP archive containing a malicious Windows Shortcut file. The file carried a carefully crafted Pashto-language filename, which researchers said reflected familiarity with the target environment.


Researchers noted that the use of Pashto appeared to be a deliberate choice, as it is widely used in Afghan government circles. The attack was designed to make the lure appear relevant to the intended recipients.

SideCopy has been described as a Pakistan-linked threat group operating under the umbrella of Transparent Tribe, also known as APT36. The group has been associated with multiple malware families used to steal sensitive data from compromised systems.

Xeno RAT Deployed Through Malicious Shortcut File

Researchers said that once the Windows Shortcut file was executed, it invoked “mshta.exe” to fetch a remote HTML Application from a compromised Afghan education domain, which in turn ran obfuscated JavaScript in memory.

The malware also established registry-based persistence by mimicking Microsoft Edge, then used a DLL-based loader to drop Xeno RAT 1.8.7 together with a decoy document intended to distract the victim.
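The chain above (shortcut, mshta.exe, remote HTA, Run-key entry posing as Edge) is what a defender would hunt for in endpoint telemetry. The following is an added example, written for this page and not code from the Seqrite report or the article, that runs two such rules over constructed process-creation and autorun events. The event layout, the field names, the hostname, the Run-key value names and the paths are all made up for illustration; none of them are indicators from the campaign.

```python
"""Added example (not from the Seqrite report): flag mshta.exe launched with
a remote HTA URL, and Run-key entries that present themselves as Microsoft
Edge but point outside Edge's real install directories.  All sample events
below are constructed, not real indicators."""

import re
from pathlib import PureWindowsPath

# Where a genuine Edge autorun entry points on a default install.  Assumption:
# environments with non-default Edge paths would need to extend this tuple.
EDGE_DIRS = (
    r"c:\program files\microsoft\edge\application",
    r"c:\program files (x86)\microsoft\edge\application",
)

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def exe_from_command(command: str) -> str:
    """Return the executable path from a command line: the quoted first
    token if present, otherwise the first whitespace-delimited token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(None, 1)[0] if command else ""


def is_remote_hta_launch(event: dict) -> bool:
    """mshta.exe whose command line carries an http(s) URL: the
    shortcut -> mshta -> remote HTA step described in the report."""
    image = PureWindowsPath(event.get("image", "")).name.lower()
    return image == "mshta.exe" and URL_RE.search(event.get("command_line", "")) is not None


def is_fake_edge_autorun(event: dict) -> bool:
    """Run-key value that looks like Edge (by value name or binary name)
    but whose executable lives outside Edge's install directories."""
    name = event.get("value_name", "").lower()
    exe = exe_from_command(event.get("value_data", "")).lower()
    exe_path = PureWindowsPath(exe)
    looks_like_edge = "edge" in name or exe_path.name.startswith("msedge")
    if not looks_like_edge:
        return False
    parent = str(exe_path.parent)
    return not any(parent.startswith(d) for d in EDGE_DIRS)


def find_suspicious(events: list[dict]) -> list[tuple[int, str]]:
    """Apply both rules and return (event index, reason) for each hit."""
    hits = []
    for idx, ev in enumerate(events):
        if ev.get("type") == "process" and is_remote_hta_launch(ev):
            hits.append((idx, "mshta.exe launched with a remote HTA URL"))
        elif ev.get("type") == "autorun" and is_fake_edge_autorun(ev):
            hits.append((idx, "Run-key entry imitating Microsoft Edge outside its install path"))
    return hits


# Constructed sample telemetry: one remote-HTA launch, one benign process,
# one fake Edge autorun under the user profile, one genuine Edge autorun.
SAMPLE_EVENTS = [
    {"type": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r'"C:\Windows\System32\mshta.exe" https://hta.example.invalid/update.hta'},
    {"type": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r'"C:\Windows\System32\notepad.exe" C:\Users\user\notes.txt'},
    {"type": "autorun", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "MicrosoftEdgeUpdate",
     "value_data": r'"C:\Users\user\AppData\Roaming\msedge\msedge.exe"'},
    {"type": "autorun", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "MicrosoftEdgeAutoLaunch_A1B2",
     "value_data": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window'},
]

if __name__ == "__main__":
    for idx, reason in find_suspicious(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

The second rule deliberately compares the launch path against Edge's install directories rather than matching on the value name alone, because a persistence entry that borrows Edge's name is only suspicious when it does not resolve to Edge's own binary; the genuine AutoLaunch entry in the sample is left alone for that reason.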

Xeno RAT is designed to connect with a remote server over TCP to handle commands sent by the operator. The malware can load and execute external DLL modules, transmit data to a server, launch through a scheduled task, retrieve antivirus information, support SOCKS5 proxy-based network tunneling and perform file operations.

Researchers said Xeno RAT can also log keystrokes, take screenshots, monitor the clipboard, track webcam and microphone activity, remove persistence methods and uninstall itself from the infected host.

Broader South Asian Cyber Activity Under Focus

The report described the latest campaign as a continuation of a broader cluster of malicious cyber activity aimed at South Asian entities. In April 2025, attacks on various sectors in India using Xeno RAT, Spark RAT and CurlBack RAT were attributed to the same adversary.

Coverage of the campaign also referred to a separate targeted phishing operation assessed to be the work of Transparent Tribe, which used weaponized Linux .desktop files against Indian military infrastructure with contract-related lures tied to Indian armored vehicle procurement. Security researcher R.D. Tarun said that campaign appeared to target individuals connected to Indian military and defense infrastructure, using WhatsApp-based social engineering and staged shell payload delivery.
